DFIR Reporting

This article has been indexed from Windows Incident Response

A request that’s been pretty consistent within the industry over time has had to do with reporting. I’d see a request, some responses, someone might ask for a template, and then the exchange would die off…I assumed that it had moved to DMs or offline. Then you’d see the discussion pop up again later, in some other forum.

I get it…writing is hard. I have the benefit of having had to write throughout my career, but also of putting intentional, dedicated effort into DFIR reporting, in that I had been very purposeful in seeking feedback from my boss, and incorporating that feedback into report writing. I was able to get to the point of having reports approved with minimal (if any) changes pretty quickly. 

As a result, in 2014, Windows Forensic Analysis Toolkit 4/e was published, and in this edition, I included a chapter on reporting. It was (and still is) a general overview addressing a lot of things that folks miss when it comes to technical reporting, going from the importance of spelling and grammar to the nature of an “Executive Summary” and beyond.

About a year ago, Josh Brunty wrote a blog post on Writing DFIR Reports. Seven years after my chapter was published, his post included some of the same thoughts and recommendations I’d shared in my book. It was validating to see that others had had (and shared) similar thoughts regarding reporting. Different words, different experiences, different person, but similar thoughts and direction. Cool.

So why does any of this matter? Not to put too fine a point on it, but it doesn’t matter how good or thorough you are, it doesn’t matter if you’re technically light years beyond the bad guys. If you can’t communicate your findings to those to whom it matters, in an actionable manner…who cares? What does any of it matter?

Coworkers and others in the community have long chided me for my insistence on correct spelling and use of terminology (i.e., specificity of language), in some instances saying, “yeah, well you know what I meant…”. Okay, but a report or Jira ticket regarding an incident is not intended to be a placeholder for “what you meant”, because 6 months or a year from now, you may not remember what you meant. Or, as is more often the case, someone other than you who

[…]